ldap clients
by Gustavo Rios
Hi folks,
i am looking for a tutorial on how to write ldap clients using C language.
May someone in this list give me a reference tutorial ?
Thanks a lot for your time and cooperation.
Best regards,
Gustavo
--
The lion and the tiger may be more powerful, but the wolves do not perform
in the circus
8 months, 1 week
Re: Slow Mod operations on LDAP
by Bhanush Mehta
Hi Quanah,
We see the same issue with 2.4.58 (compiled from source).
The most common operations are
('attr=authTimestamp', 3890)
('attr=pwdFailureTime', 713)
('attr=userPassword', 29)
('attr=memberuid', 22)
('attr=accountExpiryDate', 21)
('attr=pwdAccountLockedTime pwdFailureTime pwdFailureTime
pwdAccountLockedTime', 20)
('attr=pwdAccountLockedTime pwdFailureTime pwdFailureTime', 16)
('dn="cn=DISABLED_USERS,ou=Groups,dc=org,dc=com"', 15)
('attr=member', 15)
I am able to debug that mod operations are fast on a fresh mdb, but after a
certain number of operations the mdb size is going from 300 MB to 10 GB.
And, the time spent per operation is like 1-2 seconds for every mod, and
5-6 seconds when there are a large number of mods. We also use a group for
disabling users, when running mod to add users to that group we are seeing
all ldap binds and other mods slowing as well. We have sortvals enabled for
all groups.
We have the following indexes:
olcDbIndex: objectClass eq
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
olcDbIndex: uid eq
olcDbIndex: uidNumber eq
olcDbIndex: uniqueMember eq
olcDbIndex: gidNumber eq
olcDbIndex: displayName eq
olcDbIndex: cn eq
olcDbIndex: sn eq
olcDbIndex: member eq
Regards
Bhanush
On Mon, Jan 9, 2023 at 9:11 PM Quanah Gibson-Mount <quanah(a)fast-mail.org>
wrote:
>
>
> --On Friday, December 23, 2022 9:06 PM +0530 Bhanush Mehta
> <bhanush.mehta(a)flipkart.com> wrote:
>
> >
> > Hi All,
> >
> > We are seeing very slow MOD operations on our ldap (250 MB data dump),
> > while using mdb (data.mdb is 6.4 Gb). The average MOD operation is going
> > to 8-9 seconds.
> > We are seeing 1k disk ops and 6-7MB/s writes. The disk is 4096 IOPS Sata
> > SSD, we have seen write speed to be 126 MB/s generally.
> >
> > The slapd version is slapd (May 14 2022 18:35:44).
>
> The above is not a valid version. At a guess you're using an OpenLDAP 2.4
> build from Debian, but you'd have to check your package manager to confirm.
>
> It would be helpful to know what the mod operations are doing (I.e.,
> adding
> new attribute values to a multi-valued attribute that has a lot of values
> already, etc)
>
> --Quanah
>
>
>
>
--
*-----------------------------------------------------------------------------------------*
*This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this email in error, please notify the
system manager. This message contains confidential information and is
intended only for the individual named. If you are not the named addressee,
you should not disseminate, distribute or copy this email. Please notify
the sender immediately by email if you have received this email by mistake
and delete this email from your system. If you are not the intended
recipient, you are notified that disclosing, copying, distributing or
taking any action in reliance on the contents of this information is
strictly prohibited.*****
****
*Any views or opinions presented in this
email are solely those of the author and do not necessarily represent those
of the organization. Any information on shares, debentures or similar
instruments, recommended product pricing, valuations and the like are for
information purposes only. It is not meant to be an instruction or
recommendation, as the case may be, to buy or to sell securities, products,
services nor an offer to buy or sell securities, products or services
unless specifically stated to be so on behalf of the Flipkart group.
Employees of the Flipkart group of companies are expressly required not to
make defamatory statements and not to infringe or authorise any
infringement of copyright or any other legal right by email communications.
Any such communication is contrary to organizational policy and outside the
scope of the employment of the individual concerned. The organization will
not accept any liability in respect of such communication, and the employee
responsible will be personally liable for any damages or other liability
arising.*****
****
*Our organization accepts no liability for the
content of this email, or for the consequences of any actions taken on the
basis of the information *provided,* unless that information is
subsequently confirmed in writing. If you are not the intended recipient,
you are notified that disclosing, copying, distributing or taking any
action in reliance on the contents of this information is strictly
prohibited.*
_-----------------------------------------------------------------------------------------_
8 months, 1 week
Discovering certificate locations from libldap
by Norman Gray
Greetings.
Should I be able to discover the (default) locations of SSL certificates, via the libldap library?
This can be useful when debugging why cert checks are failing -- where is the library checking? (am I using the library I think I am...?!) Of course dtruss and co can help here.
ldap_get_option with LDAP_OPT_X_TLS_CACERTDIR (and friends) looks like it should say this, but when I explore that, it appears to show only settings added with ldap_set_option, thus only settings overriding a default. And this appears to be confirmed in libraries/libldap/tls_o.c:tlso_ctx_init. That function hands over to SSL functions, and while in principle I could retrieve a TLS session context with LDAP_OPT_X_TLS_{,SSL_}CTX, there are clear warnings that I shouldn't be tinkering with this. The fact that I'm this deep in the code suggests that either (a) this is not supported, or (b) I'm looking in the wrong place.
I could in principle use functions from the OpenSSL library, like X509_get_default_cert_dir_env(), but that requires me to know which SSL library the libldap library was linked against (and that it was indeed OpenSSL), which has its own complications. Also, if I'm confident I know that, I have other ways to confirm the cert directory.
Best wishes,
Norman
--
Norman Gray : https://nxg.me.uk
8 months, 1 week
dynlist vs memberof performance issues
by Mark Cairney
Hi,
I've been out the LDAP loop for a bit but the recent discussion of the
memberof overlay on 2.5 piqued my curiosity. Having upgraded a Dev box,
removed the memberof elements from the database and replaced the
memberof overlay with dynlist the queries appear to work as expected but
are both a) slow and b) heavily CPU-intensive on the LDAP server.
2021-09-01T12:47:17.603513+01:00 bonsai.authorise-dev.is.ed.ac.uk
slapd[30075]: conn=1019 fd=12 ACCEPT from IP=192.168.152.33:58738
(IP=129.215.17.9:636)
2021-09-01T12:47:17.687488+01:00 bonsai.authorise-dev.is.ed.ac.uk
slapd[30075]: conn=1019 fd=12 TLS established tls_ssf=256 ssf=256
tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384
2021-09-01T12:47:17.688032+01:00 bonsai.authorise-dev.is.ed.ac.uk
slapd[30075]: conn=1019 op=0 SRCH base="" scope=0 deref=0
filter="(objectClass=*)"
2021-09-01T12:47:17.688470+01:00 bonsai.authorise-dev.is.ed.ac.uk
slapd[30075]: conn=1019 op=0 SRCH attr=supportedSASLMechanisms
2021-09-01T12:47:17.688878+01:00 bonsai.authorise-dev.is.ed.ac.uk
slapd[30075]: conn=1019 op=0 SEARCH RESULT tag=101 err=0 qtime=0.000014
etime=0.000214 nentries=1 text=
2021-09-01T12:47:17.811279+01:00 bonsai.authorise-dev.is.ed.ac.uk
slapd[30075]: conn=1019 op=1 BIND dn="" method=163
2021-09-01T12:47:17.819249+01:00 bonsai.authorise-dev.is.ed.ac.uk
slapd[30075]: conn=1019 op=1 RESULT tag=97 err=14 qtime=0.000030
etime=0.009084 text=SASL(0): successful result:
2021-09-01T12:47:17.908889+01:00 bonsai.authorise-dev.is.ed.ac.uk
slapd[30075]: conn=1019 op=2 BIND dn="" method=163
2021-09-01T12:47:17.909836+01:00 bonsai.authorise-dev.is.ed.ac.uk
slapd[30075]: conn=1019 op=2 RESULT tag=97 err=14 qtime=0.000031
etime=0.000181 text=SASL(0): successful result:
2021-09-01T12:47:17.938839+01:00 bonsai.authorise-dev.is.ed.ac.uk
slapd[30075]: conn=1019 op=3 BIND dn="" method=163
2021-09-01T12:47:17.939621+01:00 bonsai.authorise-dev.is.ed.ac.uk
slapd[30075]: conn=1019 op=3 BIND authcid="mcairney(a)EASE.ED.AC.UK"
authzid="mcairney(a)EASE.ED.AC.UK"
2021-09-01T12:47:17.940213+01:00 bonsai.authorise-dev.is.ed.ac.uk
slapd[30075]: conn=1019 op=3 BIND
dn="uid=mcairney,ou=people,ou=central,dc=authorise-dev,dc=ed,dc=ac,dc=uk"
mech=GSSAPI bind_ssf=256 ssf=256
2021-09-01T12:47:17.940616+01:00 bonsai.authorise-dev.is.ed.ac.uk
slapd[30075]: conn=1019 op=3 RESULT tag=97 err=0 qtime=0.000024
etime=0.000409 text=
2021-09-01T12:47:18.227342+01:00 bonsai.authorise-dev.is.ed.ac.uk
slapd[30075]: conn=1019 op=4 SRCH
base="dc=authorise-dev,dc=ed,dc=ac,dc=uk" scope=2 deref=0
filter="(uid=mcairney)"
2021-09-01T12:47:18.227703+01:00 bonsai.authorise-dev.is.ed.ac.uk
slapd[30075]: conn=1019 op=4 SRCH attr=* +
2021-09-01T12:47:31.392255+01:00 bonsai.authorise-dev.is.ed.ac.uk
slapd[30075]: conn=1019 op=5 UNBIND
2021-09-01T12:47:31.460705+01:00 bonsai.authorise-dev.is.ed.ac.uk
slapd[30075]: conn=1019 op=4 SEARCH RESULT tag=101 err=0 qtime=0.000031
etime=13.233679 nentries=1 text=
2021-09-01T12:47:31.461098+01:00 bonsai.authorise-dev.is.ed.ac.uk
slapd[30075]: conn=1019 fd=12 closed
I'm guessing that as the values are computed that this will be heavier
on the CPU but it seems a bit excessive? Has anyone else noticed any
similar performance issues?
This is a relatively low-specced DEV server (2 vCPUs, 4GB RAM) so I
guess this could be a factor but there's no io waiting on the server and
no swapping?
The database is on a par in size with our Production service ( about
400K user objects with 1 group object per user and then about 80K actual
groups of users)
The config for the primary DB (ACLs and rootPW redacted) is:
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /opt/openldap/var/openldap-data/authorise
olcSuffix: dc=authorise-dev,dc=ed,dc=ac,dc=uk
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 2
olcReadOnly: FALSE
olcSecurity: ssf=1
olcSecurity: update_ssf=112
olcSecurity: simple_bind=64
olcSizeLimit: unlimited
olcSyncUseSubentry: FALSE
olcTimeLimit: unlimited
olcMonitoring: TRUE
olcDbEnvFlags: writemap
olcDbEnvFlags: nometasync
olcDbNoSync: FALSE
olcDbIndex: objectClass eq
olcDbIndex: entryUUID eq
olcDbIndex: entryCSN eq
olcDbIndex: cn pres,eq,sub
olcDbIndex: uid pres,eq,sub
olcDbIndex: uidNumber pres,eq
olcDbIndex: gidNumber pres,eq
olcDbIndex: eduniType eq
olcDbIndex: gecos pres,eq,sub
olcDbIndex: eduniCategory eq
olcDbIndex: mail pres,eq,sub
olcDbIndex: eduniSchoolCode eq
olcDbIndex: eduniIDStatus eq
olcDbIndex: eduniCollegeCode eq
olcDbIndex: eduniOrgCode eq
olcDbIndex: memberOf pres,eq
olcDbIndex: eduniLibraryBarcode pres,eq
olcDbIndex: eduniOrganisation pres,eq,sub
olcDbIndex: eduniServiceCode pres,eq
olcDbIndex: krbName pres,eq
olcDbIndex: eduPersonAffiliation pres,eq
olcDbIndex: eduPersonEntitlement pres,eq
olcDbIndex: sn pres,eq,sub
olcDbIndex: eduniIdmsId pres,eq
olcDbIndex: member pres,eq
olcDbIndex: memberUid pres,eq
olcDbIndex: eduniRefNo pres,eq
olcDbIndex: eduniTitle pres,eq
olcDbIndex: title pres,eq,sub
olcDbIndex: eduniCardNumber pres,eq
olcDbIndex: eduniYearOfStudy eq
olcDbIndex: description pres,eq,sub
olcDbIndex: givenName pres,eq,sub
olcDbIndex: aliasedObjectName eq
olcDbIndex: yubiKeyId pres,eq
olcDbIndex: isMemberOf pres,eq
olcDbIndex: hasMember pres,eq
olcDbIndex: proxyAddresses pres,eq,sub
olcDbMaxReaders: 96
olcDbMaxSize: 32212254720
olcDbMode: 0600
olcDbSearchStack: 16
structuralObjectClass: olcMdbConfig
dn: olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
structuralObjectClass: olcSyncProvConfig
dn: olcOverlay={1}accesslog,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: {1}accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogPurge: 02+00:00 00+04:00
olcAccessLogSuccess: TRUE
structuralObjectClass: olcAccessLogConfig
dn: olcOverlay={2}dynlist,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcDynListConfig
olcOverlay: {2}dynlist
olcDynListAttrSet: {0}groupOfURLs memberURL member+memberOf@groupOfNames
structuralObjectClass: olcDynListConfig
--
/****************************
Mark Cairney
ITI Enterprise Services
Information Services
University of Edinburgh
Tel: 0131 650 6565
Email: Mark.Cairney(a)ed.ac.uk
*******************************/
The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336. Is e buidheann carthannais a th’ ann an Oilthigh Dhùn Èideann, clàraichte an Alba, àireamh clàraidh SC005336.
8 months, 1 week
Queries regarding Openldap migration from 2.4.51 to 2.6.2
by Nagesh Nikavade (EXT-NSB)
Hi Team,
We are migrating openldap from 2.4.51 to 2.6.2 and we have the following queries
1. What is the End of life date for 2.4.x series?
2. OpenLdap 2.6.x doesn't have BDB Data base Support but has MDB, but in our existing machines where 2.4.51 is installed. Our data is populated in ".BDB" files. So is there is any guide where and how our data will be migrated from .BDB format to .MDB format ?
3. There is a utility db_verify which verifies .BDB files which is not working for .MDB files. What is utility to verify .MDB data files?
Best Regards,
Nagesh
8 months, 1 week
newer TLS clients (> 3.0?) can't connect to OpenLDAP's TLS with SSSD
by Jarett DeAngelis
hi - using OpenLDAP 2.6.3 and finding that newer LDAP client libraries (like the one that comes with Ubuntu 22.04.1 LTS) can't complete a connection to the LDAP server's TLS port. A machine I have running Rocky 8.6, however, with OpenSSL 1.1.1k, connects just fine. This is using self-generated certificates, but the correct CA cert and server cert have been provided to SSSD to use for login. The two machines are using identical certificates and SSSD configuration files.
How do we begin to troubleshoot this? The trouble is seen in the SSSD log:
(2023-01-09 21:08:26): [be[default]] [fo_resolve_service_send] (0x0100): [RID#13] Trying to resolve service 'LDAP'
(2023-01-09 21:08:26): [be[default]] [get_server_status] (0x1000): [RID#13] Status of server '10.8.8.60' is 'name not resolved'
(2023-01-09 21:08:26): [be[default]] [get_port_status] (0x1000): [RID#13] Port status of port 636 for server '10.8.8.60' is 'neutral'
(2023-01-09 21:08:26): [be[default]] [fo_resolve_service_activate_timeout] (0x2000): [RID#13] Resolve timeout [dns_resolver_timeout] set to 6 seconds
(2023-01-09 21:08:26): [be[default]] [get_server_status] (0x1000): [RID#13] Status of server '10.8.8.60' is 'name not resolved'
(2023-01-09 21:08:26): [be[default]] [set_server_common_status] (0x0100): [RID#13] Marking server '10.8.8.60' as 'resolving name'
(2023-01-09 21:08:26): [be[default]] [check_if_online_delayed] (0x2000): [RID#12] Check online req created.
(2023-01-09 21:08:26): [be[default]] [set_server_common_status] (0x0100): [RID#13] Marking server '10.8.8.60' as 'name resolved'
(2023-01-09 21:08:26): [be[default]] [be_resolve_server_process] (0x1000): [RID#13] Saving the first resolved server
(2023-01-09 21:08:26): [be[default]] [be_resolve_server_process] (0x0200): [RID#13] Found address for server 10.8.8.60: [10.8.8.60] TTL 7200
(2023-01-09 21:08:26): [be[default]] [sdap_uri_callback] (0x0400): [RID#13] Constructed uri 'ldaps://10.8.8.60:636'
(2023-01-09 21:08:26): [be[default]] [sssd_async_socket_init_send] (0x4000): [RID#13] Using file descriptor [23] for the connection.
(2023-01-09 21:08:26): [be[default]] [sssd_async_socket_init_send] (0x0400): [RID#13] Setting 60 seconds timeout [ldap_network_timeout] for connecting
(2023-01-09 21:08:26): [be[default]] [sss_ldap_init_sys_connect_done] (0x0020): [RID#13] ldap_install_tls failed: [Connect error] [unknown error]
(2023-01-09 21:08:26): [be[default]] [sss_ldap_init_state_destructor] (0x0400): [RID#13] calling ldap_unbind_ext for ldap:[0x55c44d26c1b0] sd:[23]
(2023-01-09 21:08:26): [be[default]] [sss_ldap_init_state_destructor] (0x0400): [RID#13] closing socket [23]
(2023-01-09 21:08:26): [be[default]] [sdap_sys_connect_done] (0x0020): [RID#13] sdap_async_connect_call request failed: [5]: Input/output error.
(2023-01-09 21:08:26): [be[default]] [sdap_handle_release] (0x2000): [RID#13] Trace: sh[0x55c44d24a740], connected[0], ops[(nil)], ldap[(nil)], destructor_lock[0], release_memory[0]
(2023-01-09 21:08:26): [be[default]] [_be_fo_set_port_status] (0x8000): [RID#13] Setting status: PORT_NOT_WORKING. Called from: ../src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_done: 1633
(2023-01-09 21:08:26): [be[default]] [fo_set_port_status] (0x0100): [RID#13] Marking port 636 of server '10.8.8.60' as 'not working'
(2023-01-09 21:08:26): [be[default]] [fo_set_port_status] (0x0400): [RID#13] Marking port 636 of duplicate server '10.8.8.60' as 'not working'
Thanks,
Jarett
8 months, 1 week
Help for filter in openldap server
by baalchina
Hi, all
I had a old openldap server from my colleague, and I am studying the
server.
I found a strange problem, when I using client(ldapadmin in Windows), I can
filter by uid, objectClass,sn or anything else, but except inetUserStatus.
For example, when I searching by 'sn=*', or 'sn=Jim', which jim is the
exact name of my user, I will got the correct result.
But when I searching by 'inetUserStatus=Inactive' or
'inetUserStatus=Active', nothing happens.
I also tried 'inetUserStatus=*', and got the whole ldap users.
The same happens in the memberOf attribute, which 'memberOf=*' got the
whole users, and 'memberOf=cn=ABC*' got nothing. (My ldap users all have a
attribute of 'memberOf: cn=ABC,ou=Groups,dc=abc,dc=cn'.
So, what should I do if I want to using this two attribute memberOf and
inetUserStatus?
Thanks a lot.
--
from:baalchina
8 months, 2 weeks
Slow Mod operations on LDAP
by Bhanush Mehta
Hi All,
We are seeing very slow MOD operations on our ldap (250 MB data dump),
while using mdb (data.mdb is 6.4 Gb). The average MOD operation is going to
8-9 seconds.
We are seeing 1k disk ops and 6-7MB/s writes. The disk is 4096 IOPS Sata
SSD, we have seen write speed to be 126 MB/s generally.
The slapd version is slapd (May 14 2022 18:35:44).
We the following olcDbIndex for eq: objectClass, entryCSN , entryUUID eq,
uid , uidNumber , uniqueMember ,gidNumber , memberUid ,displayName ,cn ,sn
, member, source , supervisor ,accountExpiryDate
And, sortVals for memberUid and member.
Regards
Bhanush
--
*-----------------------------------------------------------------------------------------*
*This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this email in error, please notify the
system manager. This message contains confidential information and is
intended only for the individual named. If you are not the named addressee,
you should not disseminate, distribute or copy this email. Please notify
the sender immediately by email if you have received this email by mistake
and delete this email from your system. If you are not the intended
recipient, you are notified that disclosing, copying, distributing or
taking any action in reliance on the contents of this information is
strictly prohibited.*****
****
*Any views or opinions presented in this
email are solely those of the author and do not necessarily represent those
of the organization. Any information on shares, debentures or similar
instruments, recommended product pricing, valuations and the like are for
information purposes only. It is not meant to be an instruction or
recommendation, as the case may be, to buy or to sell securities, products,
services nor an offer to buy or sell securities, products or services
unless specifically stated to be so on behalf of the Flipkart group.
Employees of the Flipkart group of companies are expressly required not to
make defamatory statements and not to infringe or authorise any
infringement of copyright or any other legal right by email communications.
Any such communication is contrary to organizational policy and outside the
scope of the employment of the individual concerned. The organization will
not accept any liability in respect of such communication, and the employee
responsible will be personally liable for any damages or other liability
arising.*****
****
*Our organization accepts no liability for the
content of this email, or for the consequences of any actions taken on the
basis of the information *provided,* unless that information is
subsequently confirmed in writing. If you are not the intended recipient,
you are notified that disclosing, copying, distributing or taking any
action in reliance on the contents of this information is strictly
prohibited.*
_-----------------------------------------------------------------------------------------_
8 months, 2 weeks
OpenLDAP stats logging performance degradation
by Christopher Paul
Hello OpenLDAP-Technical,
Using the oldie but goodie LDAP performance testing tool, SLAMD, I've been doing performance tests. What I found was that stats logging (olcLogLevel: 256) degrades performance significantly. A pity, because it is recommended in the manual. Also, it considered very useful by those of us who've been running OpenLDAP for a while.
The test was performed on Dell Workstation Intel Xeon E-2630 v3 @ 2.40Ghz Xen 4.6.5 hypervisor running Linux 4.4.0 Ubuntu 16.04, 4 vcpus pinned to the hypervisor and the other 12 pinned to the OpenLDAP VM. The OpenLDAP VM was allocated 8GB RAM and runs OpenLDAP 2.5.13 (Symas RPM build) on RedHat 8.7. Ten thousand fake users were created in an OU=FakePeople for testing.
I am aware that contention with disk I/O can cause problems, so I tried eliminating systemd-journald and rsyslogd in order to test "pure OpenLDAP" response times but was not perfectly successful. I ran slapd in the foreground using "slapd -d 256 ... 2>/dev/null". But then I noticed that systemd-journald still was logging to "session-4.scope". I tried "systemctl stop systemd-journald" and "systemctl stop systemd-journald.socket" and "systemctl stop systemd-journald-dev-log.socket" but was not able to stop systemd-journald from showing up using CPU in "htop". I tried limiting it also by setting RateLimitIntervalSec=1s and RateLimitBurst=1 in /etc/system/journald.conf. This reduced the logging but I still saw "/usr/lib/system/systemd-journald" taking 100% of one vcpu during the performance tests whenever olcLogLevel was set to 256.
The test results I will include with this post are from the Asynchronous Search Rate SLAMD job class using LDAPSearch filters of valid random values for indexed attributeTypes "uid" and "mail" matching exact filters (equality match).
Using LogLevel 256, the Asynchronous Search Rate test with 3 clients, 2 connection threads each (from laptop i7-1280P vPro Processor), OpenLDAP returned an average 10,932 results completed per second with err=0 and average 21ms response time.
Then I ran ldapmodify to changetype: replace olcLogLevel to 0, reran the same test, and saw OpenLDAP perform much better. The same test with olcLogLevel=0 returned 84,286 results per second with err=0 (671% increase) and average response time of 2.6 ms (88% decrease). Watching "htop" during this test showed all vcpus firing a lot more evenly and hotter than the test with olcLogLevel=256; it was very clear how efficient slapd can be without having to do any logging.
I ran several samples of each test and picked the best for each of olcLogLevels I tested. I ran other tests like 3 and 4 clients times 50 connections each, also ran Basic Bind Rate and saw similar patterns there. I don't mind sharing my configs or the test data if anyone is interested.
And so naturally, I am wondering if this is a known limitation and also whether it is something that can be addressed or is a hard constraint. I guess I had expected some impact as a result of logging (nothing comes for free...) but not this much.
Thanks,
Chris Paul | Rex Consulting | https://www.rexconsulting.net
8 months, 3 weeks
